Biz & IT —

Microsoft cancels February Patch Tuesday despite 0-day in wild

Fixes are delayed until March 14.

As the second Tuesday of the month, Valentine's Day should have been a day for patches in addition to lovers. There's a known and widely publicized crashing flaw in Microsoft's SMB file-sharing protocol, and a fix for this bug (and, no doubt, several others) is widely anticipated. A few hours before the patches were due to go live, Microsoft announced that they were "delayed" due to an unspecified "last-minute issue."

The company now says that this delay means that the patches won't be coming in February at all. Instead, they'll be rolled into March's update, which should arrive on March 14.

In addition to the SMB fix, the now-March update will change the way patches are delivered for Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2: Internet Explorer's updates will now be delivered in a separate package from the OS fixes.

Microsoft is still silent on what the cause of the delay is. Sources have told Mary Jo Foley that there's some issue with the patch build system, but it's not at all clear why it should suddenly break, nor why Microsoft would only discover the problem at the last minute.

SMB should, of course, be blocked at the firewall, so the risk of remote exploitation of the SMB flaw should be relatively low. It's currently believed to only permit crashing of affected systems, so while it's inconvenient, it should not lead to system penetration or compromise. Nonetheless, being forced to wait another month for a fix for something so publicly known is an uncomfortable position to be in.

Of course, off-cycle updates are also unpopular, with many IT departments planning ahead of time and scheduling their testing and deployment around Microsoft's Patch Tuesday calendar; skipping a month and waiting until March may well be the easier solution for these organizations.